Encrypt CA key with password #2
A minica-generated key and cert won't be valid on machines other than localhost. There's virtually no risk if they made it into the wild, yes?
This key can be used to attack only this one machine, yes. But this isn't the same as "no risk", at least for the owner of that machine.
I understand. I really didn't say there was no risk at all; I said virtually no risk. If someone gains access to the file system on the host storing the local project key.pem, I'd say the least of my worries would be MITM attacks. But everyone has to evaluate risk vs. reward vs. defense against disclosure/intrusion.
The parameter was not being used (i.e. even if autoCreate == false the CA would be created).
While minica is designed for local use, its CA key can still be stolen and used for a MitM attack targeted at the minica user. Please make it possible to manually control which certificates are signed using this CA by adding optional encryption of the CA key with a password.
BTW, just curious, why did you decide to use Go instead of writing a shell script that just executes openssl? Do the certificates generated by minica somehow differ from openssl ones, or are there some other differences?
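The request above is for the CA key to be unusable at rest without a passphrase, so that signing becomes a deliberate act rather than something anyone who can read key.pem can do. The following Go program is an added illustration of that idea, not minica's code and not a format minica implements: it derives an AES-256 key from a passphrase with PBKDF2-HMAC-SHA256 (written out on the standard library, so no external module is needed), seals the DER-encoded EC private key with AES-GCM, and stores salt, nonce and ciphertext in a PEM block under a hypothetical "ENCRYPTED CA KEY" label. The passphrase, the PEM label, the iteration count and the byte layout are all choices made for this example. Because GCM authenticates the ciphertext, a wrong passphrase is reported as an error instead of producing garbage key bytes, and the PEM type is bound as associated data so a relabelled file is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// Hypothetical PEM label and layout (salt || nonce || ciphertext) chosen for this
// example; minica defines no such format.
const encryptedKeyType = "ENCRYPTED CA KEY"
const kdfIterations = 100000 // PBKDF2 work factor; raise it for real use

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output block,
// exactly the AES-256 key size; written out so only the standard library is needed.
func pbkdf2SHA256(passphrase, salt []byte, iterations int) [32]byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	var t [32]byte
	copy(t[:], u)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// aeadFor returns AES-256-GCM keyed from the passphrase and salt.
func aeadFor(passphrase, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256(passphrase, salt, kdfIterations)
	c, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// EncryptCAKey seals the DER-encoded key under a passphrase-derived key. The PEM
// type is bound as associated data, so a relabelled block fails to open.
func EncryptCAKey(key *ecdsa.PrivateKey, passphrase []byte) ([]byte, error) {
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	params := make([]byte, 16+12) // fresh random 16-byte salt and 12-byte GCM nonce
	if _, err := rand.Read(params); err != nil {
		return nil, err
	}
	aead, err := aeadFor(passphrase, params[:16])
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, params[16:], der, []byte(encryptedKeyType))
	body := append(params, ct...) // stored as salt || nonce || ciphertext
	return pem.EncodeToMemory(&pem.Block{Type: encryptedKeyType, Bytes: body}), nil
}

// DecryptCAKey reverses EncryptCAKey. A wrong passphrase fails GCM authentication,
// so it surfaces as an error instead of silently yielding garbage key bytes.
func DecryptCAKey(pemBytes, passphrase []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != encryptedKeyType || len(block.Bytes) < 28 {
		return nil, fmt.Errorf("not an encrypted CA key")
	}
	salt, nonce, ct := block.Bytes[:16], block.Bytes[16:28], block.Bytes[28:]
	aead, err := aeadFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	der, err := aead.Open(nil, nonce, ct, []byte(encryptedKeyType))
	if err != nil {
		return nil, fmt.Errorf("wrong passphrase or corrupted key file")
	}
	return x509.ParseECPrivateKey(der)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	enc, err := EncryptCAKey(key, []byte("constructed example passphrase"))
	if err != nil {
		panic(err)
	}
	fmt.Print(string(enc))
	_, err = DecryptCAKey(enc, []byte("wrong passphrase"))
	fmt.Println("wrong passphrase rejected:", err != nil)
}
```

In a tool like minica the decrypted key would exist only in memory for the duration of one signing operation and be prompted for each time, which is the "manual control over which certificates are signed" the issue asks for; a copied key.pem is then only as useful to a thief as the passphrase protecting it, and the PBKDF2 work factor is what makes guessing that passphrase offline expensive.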